CVE-2025-0849

MediumPublic PoC

Published: 30 January 2025

Published

30 January 2025

Modified

04 February 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0003 9.9th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.

Security Summary

CVE-2025-0849 is a critical improper authorization vulnerability in CampCodes School Management Software version 1.0. The issue affects an unknown function within the /edit-staff/ file of the Staff Handler component. Published on 2025-01-30T02:15:25.783, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 266, 285, and NVD-CWE-noinfo.

A low-privileged remote attacker can exploit this vulnerability with low complexity and no user interaction. Exploitation enables improper authorization, allowing limited impacts on confidentiality, integrity, and availability, such as unauthorized data exposure and updates.

Advisories detail the issue on VulDB (ctiid.294012, id.294012, submit.487618), with a GitHub PDF describing sensitive super admin data exposure and unauthorized updates via IDOR from teacher to super admin roles. The vendor site is campcodes.com. The exploit has been publicly disclosed and may be used.

Details

CWE(s): CWE-266CWE-285NVD-CWE-noinfo

Affected Products

campcodes

school management software

1.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1087.001 Local Account Discovery

Adversaries may attempt to get a listing of local system accounts.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1213.004 Customer Relationship Management Software Collection

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.

attack.mitre.org →

Why these techniques?

The IDOR vulnerability enables low-privileged teacher accounts to discover sensitive super admin details (T1087.001, T1213.004 in CRM software) and perform unauthorized updates to admin account data (T1098), facilitating privilege escalation via improper authorization exploitation (T1068).

References

https://github.com/KhukuriRimal/Vulnerabilities/blob/main/Sensitive%20Super%20Admin%20Data%20Exposure%20and%20Unauthorized%20Data%20Update%20via%20IDOR%20(Teacher%20Role%20to%20Super%20Admin%20Role).pdf
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.294012
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.294012
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.487618
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.campcodes.com/
Product · cna@vuldb.com